Proposed SEC Rules for Cybersecurity Risk Management: What Investment Advisory Firms Need to Know

Feb 22nd '22

The Securities and Exchange Commission (SEC) has proposed new rules that would require registered investment advisers, registered investment companies, and business development companies to:


  1. Adopt and implement written cybersecurity policies and procedures meant to address cybersecurity risks
  2. Report any significant cybersecurity incidents to the SEC
  3. Implement new information security recordkeeping requirements
  4. Disclose certain cybersecurity incidents in their brochure or registration statement


Cybersecurity threats continue to grow more sophisticated and can be costly to firms and investors. The SEC believes these rules, which are currently within a period of public review and comment, will improve cybersecurity, increase the resiliency of financial service providers, protect investors, and help maintain orderly markets.


While the goals for this proposed rule change are straightforward, the impact on firms may be far-reaching, including:


  1. Requiring additional firm investments focused on cybersecurity
  2. Updating systems to adhere to 48-hour mandatory reporting requirements for significant cybersecurity incidents on Form ADV-C
  3. Enhancing cybersecurity policies and oversight procedures
  4. Implementing books and recordkeeping requirements related to cybersecurity practices


  • Board-level impact on cybersecurity playbooks

Amendments to Rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement cybersecurity policies and procedures to include the following.


  1. Risk assessment: Periodically assess, categorize, prioritize, and document cybersecurity risks associated with the business.
  2. User security and access: Design controls to minimize user-related risks and prevent unauthorized access to information and systems.
  3. Information protection: Monitor systems to protect information from unauthorized access or use, identify suspicious behaviors, and periodically reassess what information resides on systems.
  4. Threat and vulnerability management: Design ongoing controls that detect, mitigate, and remediate cybersecurity threats and vulnerabilities of information and systems.
  5. Cybersecurity incident response and recovery: Implement measures to detect, respond to, and recover from a cybersecurity incident.


It will be crucial for firms to establish a process for continuously assessing cybersecurity and technology risk by monitoring their current systems and establishing and regularly testing procedures. The proposed rule will require that firms review and assess the effectiveness of their policies and procedures, at least annually, and prepare a written report.


The report should describe the annual review and assessment, any tests performed, and their results. It should document any cybersecurity incidents and discuss material changes to policies and procedures. Additionally, proposed amendments to Rule 38a-2 would require these policies and procedures to be approved and reviewed, at least annually, by the firm’s Board of Directors.


Whether you’re administering your policies and procedures in-house or engaging a third-party cybersecurity risk management service, make sure to identify how these review elements will be conducted and the appropriate escalation process to senior officers of the firm.


  • Recordkeeping: Written Information Security Procedures (WISPs)

Amendments to Rules 206-2 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement recordkeeping requirements such as maintaining copies of policies, procedures, reports, and reviews, including Board oversight as appropriate. Additionally, firms will be required to retain all reports and documents pertaining to cybersecurity incidents, and all records pertaining to the cybersecurity risk assessment.


In typical fashion, these documents should be retained for a five-year period, with the most recent two years in an easily accessible place.


  • 48-Hour Reporting of Cybersecurity Incidents and Disclosure

The proposed rule would stipulate that significant cybersecurity incidents would be reportable to the SEC. Advisers would be required to submit the new Form ADV-C to the SEC promptly (typically within 48 hours). The form includes questions on the nature and scope of the incident and whether disclosure was made to investors. The new Form ADV-C will be submitted electronically and structured as a series of check-the-box and fill-in-the-blank questions to help the SEC enhance examinations and assess trends.


Under the proposed amendments, firms would be required to disclose cybersecurity risks and incidents, in plain English, in their regulatory documents (e.g., Form ADV Part 2A, N-1A, S-6). These reporting and disclosure requirements will more directly address cybersecurity risks and incidents and how they may materially impact, or have already materially impacted, the firm’s business. Firms would also be required to promptly deliver updated disclosure documents to investors following any material amendments to the document.


  • Supervisory and policy steps to be prepared

While most firms have existing cybersecurity playbooks addressing the many layers of information security, the proposed SEC cybersecurity risk management rules call for firms to examine those procedures to ensure they include:


  1. A comprehensive cybersecurity policy for firms per industry standards such as NIST 800-53 and ISO 27001
  2. Assurance that firms have a system to continuously monitor cybersecurity risks across devices, users, networks and vendors and to make sure that systems match the policy of record
  3. Risk management program collaboration across technology, risk, and compliance to assess risks and investigate threats
  4. Development of an incident response log to ensure the firm’s cybersecurity playbook is up to date with rule requirements
  5. An inventory in the cybersecurity playbook that includes hardware, software, and data information and their corresponding cybersecurity controls
  6. Assurance that incident logs, cybersecurity policies, revisions and cybersecurity monitoring reports are archived in a manner that complies with SEC 17a-4 storage requirements
  7. Controls designed to minimize third party risks, including security and access control capabilities of application and content providers who store and maintain firm data in the cloud
  8. Tuning of existing supervisory policies to ensure that areas of identified cybersecurity risk are incorporated into Written Supervisory Procedures (WSPs) and actively inspected
  9. Inclusion of procedures and documentation for onboarding, ongoing monitoring, off-boarding, and handling of non-public client information in vendor controls
  10. Ongoing cybersecurity training for employees, third parties, and consultants


The SEC has stated that implementing these requirements should be part of the firm’s fiduciary duty to apply practices that are in the best interest of their clients. Firms should take steps to minimize cybersecurity risks that could lead to significant business disruptions and harm to investors.


  • How can Smarsh help

In addition to our portfolio of capture, archiving, and supervisory solutions, Smarsh has extended its cybersecurity portfolio with the additions of Entreda and Privva to add device and network protection and ensure potential exposures are identified prior to hitting long-term systems of record.


Entreda Unify monitors devices, users, networks and vendors continuously through a single-pane-of-glass platform. This includes a standard incident response template to log cybersecurity incidents for investigation and remediation. Cybersecurity policies and incident reports/alerts/notifications are sent to users via email and, assuming clients have Smarsh, the email reports are saved as part of 17a-4 storage.


Entreda Unify subscriptions include a cybersecurity policy generator that makes it easy for firms to build and manage their cybersecurity policy based on NIST 800-53 guidelines. Additionally, generating the policy through Entreda Unify ensures that the policy of record matches implementation.




Source: Smarsh – Author: Tiffany Magri


About the author

As a Regulatory Advisor at Smarsh, Tiffany Magri monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.

